
Bug#298689: Bug with Debian Apache2 logrotate script



Heiko St?wrote:
>
> Basically the problem is the postrotate command which calls
> /etc/init.d/apache2 restart and since version 2.0.53-5 this fully stops
> apache and then starts it again, killing the whole thing if the apache
> uses an SSL certificate with passphrase since nobody can enter it.

There are valid reasons we do it this way, as some modules have been known
to crash on any other type of restart.  It was the lesser of two evils
(or, the lesser of two unavoidable bug reports).  I will be revisiting the
fragility of apache's various restart/reload/graceful processes in
relation to 3rd party modules after Sarge releases, but for Sarge, this is
what we're stuck with.

Perhaps the more interesting question for you is: Why do you use
passphrases on your SSL certs?  If they're only readable by root, what
have you gained with a passphrase?

If I'm root, I can do arbitrary things to your webserver anyway, including
mucking with user sessions, inserting unwanted content, and hijacking
sensitive data, so I fail to see how a passphrase does anything but make
it more of a pain to both boot the machine and restart apache.  The day
someone comes up with a valid use case for passphrases on SSL certs is
perhaps the day I care more about this bug than some others. :)

> I know it's trivial to correct by myself but I try to keep the divergence
> to the debian packages real low

Everything in /etc/logrotate.d/ should be a conffile, so there's no harm
in you editing it.  Your changes won't be overwritten.

... Adam
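
An added example, not part of the original message or of the Debian package: a pre-flight check for the failure described in this thread, where a postrotate script that runs `/etc/init.d/apache2 restart` meets a passphrase-protected key and nobody is present to type the passphrase. The logrotate stanza and PEM texts are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed samples (not copied from the Debian package or the bug report).
SAMPLE_LOGROTATE = """\
/var/log/apache2/*.log {
    weekly
    postrotate
        /etc/init.d/apache2 restart > /dev/null
    endscript
}
"""
ENCRYPTED_TRADITIONAL = ("-----BEGIN RSA PRIVATE KEY-----\n"
                         "Proc-Type: 4,ENCRYPTED\n"
                         "DEK-Info: DES-EDE3-CBC,0000000000000000\n\n"
                         "(placeholder body)\n-----END RSA PRIVATE KEY-----\n")
ENCRYPTED_PKCS8 = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
                   "(placeholder body)\n-----END ENCRYPTED PRIVATE KEY-----\n")
PLAIN_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
             "(placeholder body)\n-----END RSA PRIVATE KEY-----\n")

def key_needs_passphrase(pem_text):
    """True if a PEM private key is encrypted, in either common encoding."""
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text:  # PKCS#8
        return True
    # Traditional OpenSSL format flags encryption in a header line.
    return bool(re.search(r"^Proc-Type:\s*4,ENCRYPTED\s*$", pem_text, re.M))

def postrotate_commands(logrotate_text):
    """Return the command lines between 'postrotate' and 'endscript'."""
    cmds, inside = [], False
    for line in logrotate_text.splitlines():
        word = line.strip()
        if word == "postrotate":
            inside = True
        elif word == "endscript":
            inside = False
        elif inside and word and not word.startswith("#"):
            cmds.append(word)
    return cmds

def full_restart_commands(logrotate_text):
    """postrotate commands that stop and start apache2 via its init script."""
    pat = re.compile(r"apache2\s+(restart|stop|start)\b")
    return [c for c in postrotate_commands(logrotate_text) if pat.search(c)]

def rotation_will_hang(logrotate_text, pem_text):
    """True when rotation restarts apache2 and the key needs a passphrase."""
    return bool(full_restart_commands(logrotate_text)) and key_needs_passphrase(pem_text)

if __name__ == "__main__":
    print(rotation_will_hang(SAMPLE_LOGROTATE, ENCRYPTED_TRADITIONAL))
```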




